FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes how to configure LDAP over SSL (LDAPS), where the LDAP traffic is secured by SSL.

In this scenario, a Microsoft Windows Active Directory (AD) server is used as Certificate Authority (CA).
Certificate services have been added as a role and the CA certificate is available for export already.

1) Microsoft Windows Certificate Authority server:

On the AD server, open the MMC (Microsoft Management Console).
Go to File, select 'Add/Remove Snap-in', select 'Certificates' and then select 'Add':

Select 'Computer account':
Select 'Local computer' and select 'Finish':
'Certificates' appears on the left-hand side.
Expand the tree and go to Personal -> Certificates.
Select the CA certificate, go to All Tasks and select 'Export':
Certificate Export Wizard appears, select 'next':

Do not export the private key:
Select DER as the file format:

Specify the name of the file and select 'next':
Complete the Certificate Export Wizard and select 'Finish':

A success message is shown once the wizard finishes.

2) FortiGate:

Import the CA certificate (exported in the steps above) on the FortiGate.
Go to System -> Certificates, select 'Import CA Certificate' and upload the file:
Create a new LDAPS server from the GUI and select the imported certificate:
- If no certificate is selected, FortiGate will accept any certificate presented by the LDAPS server.
- If a certificate is selected, FortiGate will only accept server certificates signed by that CA certificate.
Verify the communication between the FortiGate and the AD server using the packet capture (sniffer).
After the TCP 3-way handshake, the TLS exchange between the client and the server is visible:
'Hello Exchange' -> Client Hello -> Server Hello -> Server Hello Done.

The certificate sent by the LDAPS server is seen in the packet labeled 'Certificate, Client Key Exchange, …'.
Unlike regular LDAP over tcp/389, the LDAP queries and replies themselves cannot be seen, because they are encrypted.
For troubleshooting purposes, non-secure LDAP can nevertheless be helpful.
# diagnose sniffer packet any "host and port 636"
filters=[host and port 636]
3.653907 -> syn 2104591803
3.655022 -> syn 3985690082 ack 2104591804
3.655066 -> ack 3985690083
3.655524 -> psh 2104591804 ack 3985690083
3.656473 -> 3985690083 ack 2104592128
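As an added example (not part of the original article), the following Python script parses `diagnose sniffer packet` output of the form shown above and checks that the TCP 3-way handshake to tcp/636 completed with consistent sequence numbers and that the client then went on to send data (the Client Hello). The IPs and ports in the embedded samples are constructed placeholders, since the output above has them stripped.

```python
import re
from collections import namedtuple
from typing import Optional
# One data line of `diagnose sniffer packet` (verbosity 1) output looks like:
#   <time> <src ip>.<port> -> <dst ip>.<port>: [syn|psh|fin|rst] [seq] [ack <num>]
LINE_RE = re.compile(
    r"^\d+\.\d+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+"
    r"(?:(?P<flag>syn|psh|fin|rst)\s+)?(?:(?P<seq>\d+)\s*)?(?:ack\s+(?P<ack>\d+))?"
)
Packet = namedtuple("Packet", "src dst flag seq ack")
# Constructed sample capture: FortiGate 10.0.0.10 reaching an AD server on tcp/636
# (the IPs and ports are placeholders; the article's own output has them stripped).
SAMPLE_OK = """\
filters=[host 10.0.0.2 and port 636]
3.653907 10.0.0.10.51234 -> 10.0.0.2.636: syn 2104591803
3.655022 10.0.0.2.636 -> 10.0.0.10.51234: syn 3985690082 ack 2104591804
3.655066 10.0.0.10.51234 -> 10.0.0.2.636: ack 3985690083
3.655524 10.0.0.10.51234 -> 10.0.0.2.636: psh 2104591804 ack 3985690083
3.656473 10.0.0.2.636 -> 10.0.0.10.51234: 3985690083 ack 2104592128
"""
# Constructed sample: the server never answers (port closed or filtered), only SYN retransmits.
SAMPLE_NO_REPLY = """\
0.000000 10.0.0.10.51235 -> 10.0.0.2.636: syn 1000000000
1.002113 10.0.0.10.51235 -> 10.0.0.2.636: syn 1000000000
3.006240 10.0.0.10.51235 -> 10.0.0.2.636: syn 1000000000
"""

def parse_line(line: str) -> Optional[Packet]:
    """Parse one sniffer data line; header lines such as 'filters=[...]' give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    num = lambda k: int(m.group(k)) if m.group(k) else None
    return Packet(m.group("src"), m.group("dst"), m.group("flag"), num("seq"), num("ack"))

def check_handshake(lines) -> dict:
    """Verify SYN, SYN/ACK, ACK with consistent sequence numbers, then report whether the
    client pushed data afterwards (the TLS Client Hello that opens the LDAPS session)."""
    pkts = [p for p in map(parse_line, lines) if p]
    if len(pkts) < 3:
        return {"ok": False, "reason": "fewer than three packets captured"}
    syn, synack, ack = pkts[:3]
    if syn.flag != "syn" or syn.ack is not None:
        return {"ok": False, "reason": "first packet is not a bare SYN from the client"}
    if not (synack.flag == "syn" and synack.src == syn.dst and synack.ack == syn.seq + 1):
        return {"ok": False, "reason": "no SYN/ACK from the server: port closed or filtered"}
    if not (ack.src == syn.src and ack.ack == synack.seq + 1):
        return {"ok": False, "reason": "client ACK does not complete the handshake"}
    client_data = any(p.src == syn.src and p.flag == "psh" for p in pkts[3:])
    return {"ok": True, "server": syn.dst, "port": int(syn.dst.rsplit(".", 1)[1]),
            "client_sent_data": client_data}
```

Feed it the lines of a real capture (for example `check_handshake(open("sniffer.txt").read().splitlines())`) to confirm that tcp/636 is reachable and that the TLS session actually starts before looking at certificate problems.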